The Telnet server does not return an expected number of replies when it receives a long sequence of 'Are You There' commands. This probably means it overflows one of its internal buffers and crashes. It is likely an attacker could abuse this bug to gain control over the remote host's superuser.

The remote DNS server answers to queries for third party domains which do not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of the aforementioned financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...

The remote host is running BIND, an open-source DNS server. It is possible to extract the version number of the remote installation by sending a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output:

The version of the remote BIND server is : 9.3.2-P1

Other references : OSVDB:23

Some antivirus scanners die when they process an email containing a very long string without line breaks. Such a message was sent. If there is an antivirus on your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely.

The remote Apache server can be used to guess the presence of a given user name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user's home directory.

For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.

The 'ident' service provides sensitive information to potential attackers. It mainly says which accounts are running which services. This helps attackers to focus on valuable services (those owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident' line in /etc/inetd.conf and restart inetd

The remote host is running the 'rsh' service. This service is dangerous in the sense that it is not encrypted - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords.

Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network), then it may be possible to bypass authentication.

Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.